Healthcare providers can access information within My Health Record for the purpose of lessening or preventing a serious threat.
Bydefault, documents in an individual’s My Health Record are set to general access for registered healthcare provider organisations. This means a treating healthcare provider can view all documents within an individual’s record, except for information that has been entered in the personal health notes section of the record, and any documents that have been removed or hidden by the healthcare recipient (or their representative(s)).
Healthcare recipients (or their representative(s)) can choose to restrict access to their My Health Record (using a record access code) or to restrict access to specific documents (which they can share with selected organisations, using a limited document access code):
- Where a record access code has been set, a treating healthcare provider will be prompted by their clinical information system, or the My Health Record National Provider Portal, if a record access code is required. When this occurs, the healthcare provider can ask the healthcare recipient to share the record access code.
- Where a limited document access code has been set, the healthcare recipient (or their representative(s)) can choose to provide the treating healthcare provider with the limited document access code. The healthcare provider will need to enter the limited document access code into their clinical information system, or the My Health Record National Provider Portal, to gain access to the restricted document(s).
There are certain urgent situations, defined in the My Health Records Act 2012 (section 64), where it may be permissible for treating healthcare providers to access information in a person’s My Health Record without entering the relevant access code(s) using a function known as Emergency Access. This is sometimes referred to as a ‘break glass’ function. It is important to understand when this function can lawfully be used.
Appropriate use of emergency access
It is expected that the need to use Emergency Access will be rare, as Emergency Access to a healthcare recipient's My Health Record (or a restricted document within it) is only authorised under the My Health Records Act if the healthcare organisation reasonably believes that:
- the access is necessary to lessen or prevent a serious threat to an individual’s life, health or safety and the healthcare recipient's consent cannot reasonably be obtained. For example, due to being unconscious; or
- the access to the healthcare recipient’s My Heath Record is necessary to lessen or prevent a serious threat to public health or safety. For example, to identify the source of a serious infection and prevent its spread.
In addition, the majority of people have not set any access controls, which means information in their record is not restricted. In most cases, therefore, you will be able to see all available health information, for the purpose of providing healthcare, without needing to use Emergency Access.
When not to use emergency access
A person should not use Emergency Access:
- to view their own My Health Record or a My Health Record of a family member – people can access their own record via MyGov or an available mobile app
- to demonstrate how to use the Emergency Access function – training resources are available on the My Health Record website for this purpose
- to check whether any restricted documents exist (except, in accordance with section 64 of the My Health Records Act, where the treating healthcare provider reasonably believes that access is necessary to lessen or prevent a serious threat to the individual’s life, health or safety and it is unreasonable or impracticable to provide consent; or to lessen or prevent a serious threat to public health or safety).
- when an individual has forgotten the access code they have set (except, in accordance with section 64 of the My Health Records Act, where the treating healthcare provider reasonably believes that access is necessary to lesson or prevent a serious threat to the person’s life, health or safety; or to lessen or prevent a serious threat to public health or safety) – a person can reset their access code by logging into their My Health Record, or telephoning the My Health Record helpline 1800 723 471.
Use of the Emergency Access function that is not authorised by section 64 of the My Health Records Act is subject to civil and/or criminal penalties under the My Health Records Act.
Once granted, emergency access to a record is available for a maximum of five days. When this period ends, the My Health Record reverts to the previous settings. If the emergency situation continues beyond the initial five-day period, you will need to request Emergency Access again.
Use of the Emergency Access function is recorded in the access history of the My Health Record, which can be viewed by the healthcare recipient and their authorised or nominated representative(s). In addition, healthcare recipients can choose to receive an SMS or email notification each time the Emergency Access function is used to view their My Health Record.
With Emergency Access, any access controls that the individual has set will be overridden. This means the treating healthcare provider who uses the Emergency Access function will have full access to the healthcare recipient’s My Health Record, except for information that has been entered in the personal health notes section of the record, and any documents that healthcare recipient (or its authorised representative(s) has previously removed or hidden.
Notification provisions under section 75 of the Act
It is important to note that registered healthcare provider organisations are subject to reporting obligations under section 75 of the Act. Consequently, unauthorised use of the Emergency Access function may be reportable to the Office of the Australian Information Commissioner (OAIC) and the Agency (as System Operator).
Learn more about managing data breaches, including section 75 notification obligations.
This information is general in nature, and you should obtain your own professional legal advice relevant to your circumstances.
You can find out more about the My Health Record Emergency Access function from the OAIC, including: